Documentation forPapertrail

Single Sign-On (SSO) via SAML

SolarWinds AppOptics, Pingdom, and Papertail products support single sign-on via SAML 2.0 integration. SAML (Security Assertion Markup Language) is an industry standard used to provide single sign-on (SSO) by authenticating against a particular identity provider (IdP). Users can log into their Active Directory domain or intranet and have immediate access to these SolarWinds products, without requiring additional log-in.

When SSO is enabled, organization members must authenticate against IdP, unless the user account is identified as a service account. Service accounts are allowed to log in with a separate username and password. See Set up service accounts.

Configure SAML

The SAML configuration page is only available to the organization owner and can be accessed via the Security section under the Account page. To open the SAML configuration page, click the Enable SAML button.

configure-image

Integrate SAML

  1. Use the three SolarWinds URLs when configuring your Identity Provider (IdP) for integration with SolarWinds Application Management products.

  2. Find the following information from the Identity Provider and enter it in the fields provided:

    • Issuer (Entity ID)

    • SAML URL

    • Single Logout URL (optional)

    • Identity Provider X.509 certificate, provided in a PEM format with a proper prefix and suffix. See example below.

  3. Save the configuration.

  4. Click the toggle on the right side of the SAML pane to enable SAML integration for the organization. All organization members except the owner will be logged out of Papertrail.

    Organization members can login either via the IdP or the dedicated login screen that is available from the login screen (see Log in with SSO credentials).

    For a member to be able to use IdP initiated login, set the NameID attribute to user.email value. The member must be known to the provider and exist in PaperTrail, Pingdom, or AppOptics.

SSO configuration information for various identity providers

SSO configuration can vary between Identity Providers. The following list provides links to the appropriate IdP documentation:

Additional SAML integration information

If SAML integration is disabled, legacy users (those who existed in the organization before SAML was enabled) should use their original password to log into the product. Users added after the integration will have to perform a password reset.

The organization owner can invite new Application Management users known to the IdP into the SAML-enabled organization or use role mapping to grant immediate access all users in an IdP user group.

Set up role mapping

Role mapping allows you to define organization and product roles, as well as grant access to logs and billing plans, based on the account's IdP group membership. Members added to an IdP group will automatically gain access to any organization or product role mapped to that group. If a new user is added to a mapped IdP user group, a SolarWinds Unified Login account will be created for the user automatically.

Once role mapping is turned on, the user's product and organization roles will be updated to match the roles assigned via Role Mapping, the Members area of the account settings will be updated to reflect members' permissions as defined in SAML role mapping, and access control permissions can only be changed in SAML settings. Read this article for more information about how role mapping affects Papertrail's member access levels.

Product or organization roles previously set on a per-user basis will not be restored if role mapping is disabled.

To map roles to group memberships, select the Role Mapping tab and click Enable Role Mapping.

To map an organization role, select the field for the role you wish to map, type the name of an identity provider group, and press enter.

The organization owner role cannot be defined via role mapping.

To grant members of an IdP group access to groups of log senders or set specific permissions for managing users, changing plans, and purging logs, click the field for the permission level, type the name of an identity provider group, and press enter.

The following permissions are available to map for Papertrail:

  • Manage users and permissions — full access to everything; the highest permission level a member can have.
  • Change plans and payment — upgrade or downgrade the organization’s plan, modify credit card information, and see previous payments.
  • Full Access — view logs, modify group details, save searches, and create alerts.
  • Read-only — view logs only, cannot modify group details, save searches, or create alerts.
  • Purge logs — purge searchable logs.
  • Specific group access — provides access to only specific log groups instead of all groups. Any group that is not specified will not be accessible at all, even as read-only.

When role mapping is enabled or disabled, all organization members except the owner will be logged out of Papertrail.

Additional role mapping information

Every time an organization member logs into Papertrail, the organization's IdP is accessed and read.

If an IdP group is mapped to multiple product or organization roles, the role with the most access will be used for that group.

Set up service accounts

With service accounts, users can log in to Papertrail with either their SAML login or their SolarWinds Unified Login account's username and password. Organization owner accounts are automatically included as a service account.

To define a user account as a service account and allow the user options for how they log in, click the Service Accounts tab and type the user's email address in the Accounts field or select the user from the dropdown.

Once all service accounts are defined, click Save.

Log in with SSO credentials

Click Log in with Single Sign On from the Papertrail login page, enter your organization email address, and click Log in with Single Sign On. If you are not already logged into your identity provider, you will be prompted to log in with your identity provider first.